How hackers can drain your frequent flyer miles

The airline miles you’ve racked up over the years can disappear with the click of a mouse.

There is a growing black market for frequent flyer accounts on the dark web, technology comparison site Comparitech reported Wednesday. Half a dozen online marketplaces host listings made by criminals to resell miles they have obtained from frequent flyer accounts through hacking and data breaches, said Paul Bischoff, editor at Comparitech.

The theft is particularly appealing to scammers because it’s hard to detect, he said. “It’s similar to credit-card fraud in that the victim is unlikely to notice until they check their account to find their miles gone, or the thief triggers the fraud prevention system,” Bischoff said. “Because most of us don’t regularly check our frequent flyer accounts until it’s time to spend them down, the theft can go unnoticed for months or years.”

‘It’s similar to credit-card fraud in that the victim is unlikely to notice until they check their account to find their miles gone.’
Paul Bischoff, editor at Comparitech

The stolen miles cannot be used for travel directly, because booking a flight usually requires identification that matches that of the passenger, but thieves can sell the points for cash or gift cards with online services. They can also transfer the miles from one account to another. Many mileage programs have options to sell points in exchange for gift cards. Websites like Points, a wallet for frequent-flyer points, lists such options for gift cards from Best Buy and Amazon
AMZN, +2.01%

Delta SkyMiles
DAL, +1.07%
and British Airways were the most frequently listed on the Comparitech report, which named 27 airlines whose customers had been affected by these hacks. “The security of our customer data is our highest priority, and we work with any customer who believes their SkyMiles account may have been compromised,” a Delta spokesman told MarketWatch. British Airways did not respond to request for comment.

As major hacks like the Equifax
EFX, -2.18%
breach expose more personal details, it is becoming easier to steal frequent flyer miles, according to Dan Pierson of Bolt Collective, a group travel experience company.

“Most people don’t worry about their frequent flyer accounts as much as their bank accounts, and don’t take security as seriously,” he said. “The currency can be stolen just the same with a bit of basic info like name, date of birth.”

‘Like e-commerce loyalty points, ticket miles are easy to transfer and sometimes difficult to trace.’
George Avetisov, CEO of HYPR

One British Airways account with 100,000 miles was listed for sale on the dark web for $107, the study found. A Delta account with 45,000 miles was on sale for $884. Airline points are typically worth between one and two cents each, so 100,000 miles for $107 is a small fraction of the value.

Ticket scams go back to the 1990s, said George Avetisov, chief executive officer of decentralized authentication firm HYPR. In 2015, more than 10,000 customer accounts at American Airlines
AAL, +4.68%
were compromised and travel points were affected. United
UAL, +1.84%had a similar issue with three dozen accounts that same year.

“Like e-commerce loyalty points, ticket miles are easy to transfer and sometimes difficult to trace,” Avetisov said. “Until we see better authentication for airlines this problem will remain.

A spokeswoman from Airlines for America, the trade group representing airlines, said it is continuing to take measures to prevent such hacks.

“The U.S. airline industry takes data security seriously and continues to work collaboratively with cyber-security experts to identify potential vulnerabilities, taking necessary precautions to keep systems secure and investing in IT systems and protective measures to safeguard passenger information,” she said.

Consumers can reduce their risk of being targeted with frequent-flyer fraud by practicing basic security hygiene: use strong passwords, preferably stored in a password manager. Frequently change passwords, and use two-factor authentication. Never post a photo of your boarding pass online, don’t put your airline account number on a baggage tag, and shred your boarding pass after flights. The barcode on airplane boarding passes holds a lot of hackable information, including name, frequent flyer number, and future travel plans.

Get a daily roundup of the top reads in personal finance delivered to your inbox. Subscribe to MarketWatch's free Personal Finance Daily newsletter. Sign up here.

Intraday Data provided by SIX Financial Information and subject to terms of use. Historical and current end-of-day data provided by SIX Financial Information. All quotes are in local exchange time. Real-time last sale data for U.S. stock quotes reflect trades reported through Nasdaq only. Intraday data delayed at least 15 minutes or per exchange requirements.